From ce765fba9cf9fd1c4b1981ab137df35c4b662b04 Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Fri, 6 Apr 2012 17:17:03 +0000
Subject: Fixed ! handling for several rule options, fixed reading of icmptype, fixed comments broken by escapes

Thanks to Der Tiger for reporting

---
 iptables-model.lua | 45 +++++++++++++++++++++++++--------------------
 1 file changed, 25 insertions(+), 20 deletions(-)

diff --git a/iptables-model.lua b/iptables-model.lua
index 5a1310a..d1443d3 100644
--- a/iptables-model.lua
+++ b/iptables-model.lua
@@ -121,6 +121,7 @@ end
 
 local function generate_rule_specification(rule)
 local spec = {}
+ -- notfirst parameter indicates that the "not" (!) must come before the option name
 function addparameter(value, option, notfirst)
 if value ~= "" then
 if string.find(value, "^!") then
@@ -132,7 +133,7 @@ local function generate_rule_specification(rule)
 end
 end
 spec[#spec + 1] = option
- spec[#spec + 1] = value
+ spec[#spec + 1] = format.escapespecialcharacters(value)
 end
 end
 function addmodule(values, mod)
@@ -144,13 +145,13 @@ local function generate_rule_specification(rule)
 end
 end
 
- addparameter(rule.value.protocol.value, "-p")
- addparameter(rule.value.source.value, "-s")
- addparameter(rule.value.destination.value, "-d")
+ addparameter(rule.value.protocol.value, "-p", true)
+ addparameter(rule.value.source.value, "-s", true)
+ addparameter(rule.value.destination.value, "-d", true)
 addparameter(rule.value.jump.value, "-j")
 addparameter(rule.value.goto.value, "-g")
- addparameter(rule.value.in_interface.value, "-i")
- addparameter(rule.value.out_interface.value, "-o")
+ addparameter(rule.value.in_interface.value, "-i", true)
+ addparameter(rule.value.out_interface.value, "-o", true)
 if rule.value.fragment.value == "!" then
 spec[#spec + 1] = "! -f"
 elseif rule.value.fragment.value ~= "" then
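Review bot: `addparameter` (and `addmodule` in the next hunk) is declared with a bare `function` inside generate_rule_specification, so every call rebinds a global that closes over that call's `spec` table; the helper should be `local function addparameter(value, option, notfirst)`, with the new notfirst comment directly above it. The comment should also say how a leading `!` is placed when notfirst is nil, since the `string.find(value, "^!")` branch that decides this continues outside the hunk and a reader of the comment alone cannot tell the two cases apart.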
@@ -162,27 +163,28 @@ local function generate_rule_specification(rule)
 addparameter(rule.value.addrtype_dst_type.value, "--dst-type")
 addmodule({rule.value.comment.value}, "comment")
 if rule.value.comment.value ~= "" then
- addparameter('"' .. rule.value.comment.value .. '"', "--comment")
+ spec[#spec + 1] = "--comment"
+ spec[#spec + 1] = '"' .. rule.value.comment.value .. '"'
 end
 addmodule({rule.value.icmp_type.value}, "icmp")
- addparameter(rule.value.icmp_type.value, "--icmp-type", false)
+ addparameter(rule.value.icmp_type.value, "--icmp-type", true)
 addmodule({rule.value.src_range.value, rule.value.dst_range.value}, "iprange")
 addparameter(rule.value.src_range.value, "--src-range", true)
 addparameter(rule.value.dst_range.value, "--dst-range", true)
 addmodule({rule.value.mac_source.value}, "mac")
- addparameter(rule.value.mac_source.value, "--mac-source", false)
+ addparameter(rule.value.mac_source.value, "--mac-source", true)
 addmodule({rule.value.sports.value, rule.value.dports.value, rule.value.ports.value}, "multiport")
- addparameter(rule.value.sports.value, "--sports", false)
- addparameter(rule.value.dports.value, "--dports", false)
- addparameter(rule.value.ports.value, "--ports", false)
+ addparameter(rule.value.sports.value, "--sports", true)
+ addparameter(rule.value.dports.value, "--dports", true)
+ addparameter(rule.value.ports.value, "--ports", true)
 addmodule({rule.value.state.value}, "state")
 addparameter(rule.value.state.value, "--state")
 addmodule({rule.value.tcp_sport.value, rule.value.tcp_dport.value}, "tcp")
- addparameter(rule.value.tcp_sport.value, "--sport", false)
- addparameter(rule.value.tcp_dport.value, "--dport", false)
+ addparameter(rule.value.tcp_sport.value, "--sport", true)
+ addparameter(rule.value.tcp_dport.value, "--dport", true)
 addmodule({rule.value.udp_sport.value, rule.value.udp_dport.value}, "udp")
- addparameter(rule.value.udp_sport.value, "--sport", false)
- addparameter(rule.value.udp_dport.value, "--dport", false)
+ addparameter(rule.value.udp_sport.value, "--sport", true)
+ addparameter(rule.value.udp_dport.value, "--dport", true)
 return table.concat(spec, " ")
 end
 
@@ -352,7 +354,7 @@ function read_rule(tab, chain, pos)
 retval.addrtype_src_type = cfe({ type="select", label="Source Address Type", option={"", "UNSPEC", "UNICAST", "LOCAL", "BROADCAST", "ANYCAST", "MULTICAST", "BLACKHOLE", "UNREACHABLE", "PROHIBIT"} })
 retval.addrtype_dst_type = cfe({ type="select", label="Destination Address Type", option={"", "UNSPEC", "UNICAST", "LOCAL", "BROADCAST", "ANYCAST", "MULTICAST", "BLACKHOLE", "UNREACHABLE", "PROHIBIT"} })
 retval.comment = cfe({ label="Comment" })
- retval.icmp_type = cfe({ label="ICMP Type", descr="Type by name or number" })
+ retval.icmp_type = cfe({ label="ICMP Type", descr="Type by name or number. A '!' before the type inverts the test." })
 retval.src_range = cfe({ label="Source IP Range", descr="'ip-ip' to match source IP. A '!' before the range inverts the test." })
 retval.dst_range = cfe({ label="Destination IP Range", descr="'ip-ip' to match destination IP. A '!' before the range inverts the test." })
 retval.mac_source = cfe({ label="Source MAC address", descr="'XX:XX:XX:XX:XX:XX' to match the ethernet source MAC. A '!' before the address inverts the test." })
@@ -412,8 +414,11 @@ function read_rule(tab, chain, pos)
 elseif words[i] == "dst-type" then
 retval.addrtype_dst_type.value = words[i+1]
 i = i+1
+ elseif words[i] == "icmptype" then
+ retval.icmp_type.value = words[i+1]
+ i = i+1
 elseif words[i] == "icmp" then
- retval.icmp_type.value = words[i+2]
+ retval.icmp_type.value = "!" .. words[i+2]
 i = i+2
 elseif words[i] == "source" and words[i+1] == "IP" and words[i+2] == "range" then
 if words[i+3] == "!" then
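Review bot: The comment value is now the only parameter appended to `spec` without `format.escapespecialcharacters`, and it is wrapped in double quotes, so a comment containing `"`, `$`, a backtick or a backslash is interpreted by the shell when create_rule/update_rule hand the spec to io.popen — a stray quote breaks the command and `$(...)` inside it is expanded. Single-quoting the value with embedded single quotes escaped is shell-safe and does not depend on what escapespecialcharacters does to spaces: `spec[#spec + 1] = "'" .. string.gsub(rule.value.comment.value, "'", "'\\''") .. "'"`. Separately, `addparameter(rule.value.state.value, "--state")` is the one match option left without notfirst; if the state field can carry a leading `!` like icmp_type and the ranges, it presumably needs `true` as well, since the state match is written as `! --state`.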
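Review bot: The `"icmp"` branch now prefixes `!` unconditionally and reads `words[i+2]`, so it is correct only for the inverted numeric form (`icmp !type N`), the plain numeric form having moved to the new `"icmptype"` branch; if the listing is ever produced without numeric output, the match prints a type name instead (`icmp echo-request`, presumably `icmp !echo-request` when inverted) and this branch would store `!` followed by whatever token comes after the name. Tying the inversion to the token that carries it, `elseif words[i] == "icmp" and words[i+1] == "!type" then`, keeps that case from being silently misread. The read_rule loop this sits in starts and ends outside the hunk, so which listing flags feed `words` is not visible here.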
@@ -494,7 +499,7 @@ function create_rule(rule)
 else
 cmd = cmd .. " -A " .. format.escapespecialcharacters(rule.value.chain.value)
 end
- cmd = cmd .. " " .. format.escapespecialcharacters(spec) .. " 2>&1"
+ cmd = cmd .. " " .. spec .. " 2>&1"
 local f = io.popen(cmd)
 rule.errtxt = f:read("*a")
 f:close()
@@ -517,7 +522,7 @@ function update_rule(rule)
 if success then
 local spec = generate_rule_specification(rule)
- local cmd = path .. "iptables -t " .. format.escapespecialcharacters(rule.value.table.value) .. " -R " .. format.escapespecialcharacters(rule.value.chain.value) .. " " .. format.escapespecialcharacters(rule.value.position.value) .. " " .. format.escapespecialcharacters(spec) .. " 2>&1"
+ local cmd = path .. "iptables -t " .. format.escapespecialcharacters(rule.value.table.value) .. " -R " .. format.escapespecialcharacters(rule.value.chain.value) .. " " .. format.escapespecialcharacters(rule.value.position.value) .. " " .. spec .. " 2>&1"
 local f = io.popen(cmd)
 rule.errtxt = f:read("*a")
 f:close()
-- cgit v1.2.3
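Review bot: `spec` is now spliced into the io.popen command unescaped here and in the update_rule hunk below, which is safe only because generate_rule_specification escapes each value itself; that contract is invisible at both call sites, so the changed line deserves a comment in each place: `-- spec is already shell-escaped per value by generate_rule_specification; escaping it again breaks the quoted --comment value`. This also means anything generate_rule_specification appends raw (currently the double-quoted comment string) reaches the shell exactly as typed, so any future raw append there needs the same scrutiny. create_rule's body starts before the hunk.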